"Hey check out this video! http://tinyurl.com/xyz," says an old friend over Google Talk IM. Well sure, you think, I'd love to see a video from you; it's been a long time! Maybe you got an IM like that this afternoon, too. Maybe you got six.
Clicking such a link is not itself the problem. But when the site that loads, Viddyho.com, asks for your Google Talk username and password before it will show you the video, you should know that trouble is afoot: no video site needs your Google password, and a login form for a Google account belongs on a Google domain, not on some third-party site. Surprisingly, a whole lot of tech-savvy people fell for it today. Update: The Harvard Crimson says it has unearthed the person responsible for the Viddyho worm.
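The check a wary user (or a chat client) can apply to a lure like the one above is simple to state: follow the shortened link to its final destination, and if that page asks for a Google password, make sure it is actually a Google login page and not a look-alike. The following is an added example, not code from the original post or from Viddyho; the redirect table, the trusted-host list and the look-alike URLs are constructed for illustration.

```python
"""Heuristic check for a credential-phishing lure: resolve a shortened link
and decide whether the page it lands on is a legitimate place to be asked
for a Google account password. Added example with constructed data."""
from urllib.parse import urlparse

# Constructed redirect map standing in for what a URL shortener returns.
# In practice you would send a HEAD request with redirects disabled and read
# the Location header hop by hop; the table lets the example run offline.
REDIRECTS = {
    "http://tinyurl.com/xyz": "http://viddyho.com/watch?v=1",
    "http://tinyurl.com/ok": "https://www.google.com/accounts/ServiceLogin",
}

# Hosts (and their subdomains) at which a Google password prompt is expected.
TRUSTED_LOGIN_HOSTS = {"google.com"}

MAX_HOPS = 5


def resolve(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects until a URL that does not redirect further.
    Returns every hop visited; stops on loops or after max_hops."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:      # redirect loop
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def host_of(url):
    """Hostname only: urlparse strips userinfo and port, so
    'https://www.google.com@viddyho.com/' yields 'viddyho.com'."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_login_host(host, trusted=TRUSTED_LOGIN_HOSTS):
    """Exact match or a subdomain at a dot boundary. The suffix test is
    anchored with a leading '.', so 'google.com.viddyho.com' does not match."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_login_prompt(url):
    """Classify a link whose landing page asks for a Google password.
    verdict: 'phish' (untrusted host), 'warn' (trusted host but not HTTPS),
    or 'ok'. Reasons list what was found so a client can show them."""
    chain = resolve(url)
    final = chain[-1]
    host = host_of(final)
    reasons = []
    if not is_trusted_login_host(host):
        reasons.append(f"password prompt on untrusted host {host!r}")
    if urlparse(final).scheme != "https":
        reasons.append("login page is not served over HTTPS")
    if reasons and not is_trusted_login_host(host):
        verdict = "phish"
    elif reasons:
        verdict = "warn"
    else:
        verdict = "ok"
    return {"verdict": verdict, "chain": chain, "host": host, "reasons": reasons}


if __name__ == "__main__":
    for u in ("http://tinyurl.com/xyz", "http://tinyurl.com/ok",
              "https://www.google.com.viddyho.com/login",
              "https://www.google.com@viddyho.com/login"):
        r = check_login_prompt(u)
        print(u, "->", r["verdict"], r["reasons"])
```

The two look-alike forms in the usage block are the ones a naive substring check for "google.com" would wave through: a trusted name used as a subdomain of the attacker's host, and a trusted name placed in the userinfo part of the URL before the `@`.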
Daniel Carroll reported tonight on the Harvard Crimson newspaper's site that he traced the operation back further than other reporters on the story had, and found that a San Franciscan named Hoan Ton-That appears to be responsible for the site that was harvesting the credentials of the worm's victims. Carroll reports that he learned from the hosting company that Ton-That's web hosting account has been suspended. The alleged author of the worm didn't respond to his requests for comment but has a Twitter account here and apparently was in this author's home town of Portland, Oregon just last week. (We were not plotting the attack together, I swear.) Ton-That's Twitter bio reads: "Anarcho-Transexual Afro-Chicano American Feminist Studies Major", which sounds to us like either an immature joke or a pretty badass bio.
The Tech Issues
There are also some bigger issues worth discussing here.
That so many otherwise tech-savvy people fell for this trap shows that legitimate experiments in user authentication (like OpenID) still have a whole lot of explaining to do, and that delegated-authorization APIs, which let a site act on your behalf under a limited, revocable grant instead of with your password, need far wider adoption. This could just as easily have been Facebook or Twitter hijacking your Google Talk account: we give them our passwords and simply trust that they won't use them for anything more than we intended.
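The difference between the two models is easiest to see in code. The toy below is an added example, not any real provider's API: it models an identity provider that can hand a third-party site either a full session obtained with the user's password, or a token scoped to a single capability. With the password the site can read your contacts and also message every one of them as you, which is exactly what a worm needs; with a token limited to reading contacts the same message-sending calls are refused, and the grant can be revoked without the user changing a password. The scope names, the token format and the hypothetical `IdentityProvider` and `ThirdPartySite` classes are assumptions for illustration.

```python
"""Password anti-pattern versus scoped, revocable delegation.
Added example with a constructed identity provider; not a real API."""
import secrets
import time


class IdentityProvider:
    """Stands in for the account service. Passwords are kept in plain text
    only to keep the example short; any real system hashes them."""

    FULL_SCOPE = {"contacts:read", "im:send", "password:change"}

    def __init__(self):
        self.passwords = {}  # user -> password
        self.contacts = {}   # user -> [contact, ...]
        self.inbox = {}      # user -> [(sender, text), ...]
        self.tokens = {}     # token -> {"user", "scope", "expires"}

    def register(self, user, password, contacts):
        self.passwords[user] = password
        self.contacts[user] = list(contacts)
        self.inbox.setdefault(user, [])
        for c in contacts:
            self.inbox.setdefault(c, [])

    # Password path: a successful login yields every capability the user has.
    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return self.issue_token(user, self.FULL_SCOPE, ttl=3600)

    # Delegation path: the user grants a named scope for a limited time.
    def issue_token(self, user, scope, ttl):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = {"user": user, "scope": set(scope),
                            "expires": time.time() + ttl}
        return tok

    def revoke(self, token):
        self.tokens.pop(token, None)

    def _authorize(self, token, needed):
        rec = self.tokens.get(token)
        if rec is None or rec["expires"] < time.time():
            raise PermissionError("token invalid or expired")
        if needed not in rec["scope"]:
            raise PermissionError(f"token lacks scope {needed}")
        return rec["user"]

    def read_contacts(self, token):
        user = self._authorize(token, "contacts:read")
        return list(self.contacts[user])

    def send_im(self, token, to, text):
        user = self._authorize(token, "im:send")
        self.inbox[to].append((user, text))


class ThirdPartySite:
    """A site that wants your contact list. Given your password it can do
    anything you can; given a scoped token it can do only what was granted."""

    LURE = "Hey check out this video! http://tinyurl.com/xyz"  # constructed

    def __init__(self, idp):
        self.idp = idp

    def import_with_password(self, user, password):
        tok = self.idp.login(user, password)      # full-privilege session
        contacts = self.idp.read_contacts(tok)
        for c in contacts:                        # nothing stops this
            self.idp.send_im(tok, c, self.LURE)
        return contacts

    def import_with_token(self, token):
        contacts = self.idp.read_contacts(token)
        blocked = 0
        for c in contacts:                        # same attempt, refused
            try:
                self.idp.send_im(token, c, self.LURE)
            except PermissionError:
                blocked += 1
        return contacts, blocked


def demo():
    """Run both flows against one constructed account and report the outcome."""
    idp = IdentityProvider()
    idp.register("alice", "hunter2", ["bob", "carol"])
    site = ThirdPartySite(idp)

    site.import_with_password("alice", "hunter2")
    lures_sent = sum(len(msgs) for msgs in idp.inbox.values())

    tok = idp.issue_token("alice", {"contacts:read"}, ttl=60)
    contacts, blocked = site.import_with_token(tok)
    idp.revoke(tok)
    try:
        idp.read_contacts(tok)
        revoked = False
    except PermissionError:
        revoked = True
    return {"lures_sent_with_password": lures_sent,
            "contacts_via_token": contacts,
            "sends_blocked_with_token": blocked,
            "revoked_token_rejected": revoked}


if __name__ == "__main__":
    print(demo())
```

Two properties carry the argument: the token's scope is checked on every call, not just at issuance, and revocation invalidates the grant without touching the password, so a user who later distrusts a site loses nothing but that site's access.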